On Tue, Oct 28, 2008 at 04:24:02PM +0100, Hans Vosbergen wrote:
> Hi Misc,
> 
> I am trying to make OpenBGPD work as a route-server for a little hobby
> project I am working on.
> 
> As it's very hard to find configuration examples for this usage on the web I
> have to turn here.
> 
> What I am trying to achieve:
> - A route-server acting as a transparent route distributor.
> - Control by neighbours who their prefixes are announced to, based on
> communities.
> 
> Making OpenBGP work as a transparent AS was the easy part. However I'm stuck
> in the communities control part.
> 
> How it is supposed to work: my route-server has AS1234 in my test
> environment.
> 
> If a neighbour announces:
> 1. { community 1234:1234 } -- Their prefixes will be announced to EVERY
> other neighbour.
> 2. { community 1234:<AS> } -- Their prefixes will ONLY be announced to <AS>,
> ie: 1234:8943 will only send the prefixes to AS8943.
> 3. { community 1234:1234 1234:<AS> } -- Their prefixes will be announced to
> every other neighbour EXCEPT <AS>.
> 
> I have been able to achieve the first 2 ways the prefix control should work,
> but I can't manage to get the 3rd to work. Before moving to OpenBGPD I
> managed to produce the way I want it to work in Quagga but I simply do not
> want to use that.
> 
> Would anyone have an idea on how to make OpenBGPD not announce prefixes to
> specific neighbours if they appear in the 1234:1234 1234:<AS> list?
> 

The route server I set up uses more or less this config:

# global configuration
AS $ASNUM
router-id $IP
transparent-as yes

network $LAN

group RS {
        announce all
        max-prefix 5000 restart 15
        set nexthop no-modify
#       softreconfig in no

        neighbor $LAN {
                descr "RS peer"
                passive
        }
}

# filter out prefixes longer than 24 or shorter than 8 bits
deny from any prefixlen 8 >< 24

# do not accept a default route, multicast and experimental networks
deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 127.0.0.0/8 prefixlen >= 8
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4

# we set this community to identify from which peer
# a route was learned:
match from any set community $ASNUM:neighbor-as

# 1. Prepend RS $ASNUM to *all* RS-Peers
match from group RS community $ASNUM:65500 set prepend-self 1

# 2. Prepend RS $ASNUM to *selected* RS-Peer N-times
# (N can be 1 to 3)
match to group RS community 65501:neighbor-as set prepend-self 1
match to group RS community 65502:neighbor-as set prepend-self 2
match to group RS community 65503:neighbor-as set prepend-self 3

# 3. Do *not* announce to RS-Peers with AS AAAA
deny to group RS community $ASNUM:neighbor-as

# 4. Do *not* announce to *ANY* RS-Peers
deny to group RS community $ASNUM:65535

# 5. Prepend own announcement by one
match to group RS prefix $LAN set prepend-self 1

Works like a champ without any additional per-peer config :)
-- 
:wq Claudio
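
An added example, not part of Claudio's post nor of the OpenBGPD project's own documentation, that maps the three conventions from the question onto OpenBGPD filter rules. It replaces only the filter section; the global and group settings from the config above are assumed unchanged, the route server is assumed to be AS 1234 as in the question, and $LAN stands for the route server's own prefix exactly as it does above. The third convention (1234:1234 together with 1234:<AS> means everyone except <AS>) can only be expressed as a rule that tests two communities at once, so the example assumes a bgpd that accepts more than one community match in a single rule with all of them having to match; it also assumes that "set community delete" takes a "*" wildcard.

```conf
# Added example: control communities as in the question, route server is AS 1234.
# Filter rules are evaluated top to bottom and the last matching rule decides;
# "match" rules only apply their "set" actions and never decide.

# Default: announce nothing to RS peers unless a later rule allows it.
deny to group RS

# The route server's own prefix (network $LAN above) is always announced.
allow to group RS prefix $LAN

# 1. 1234:1234 -> announce to every other peer.
allow to group RS community 1234:1234

# 2. 1234:<AS> on its own -> announce only to the peer whose AS is <AS>.
#    neighbor-as is the AS of the peer this rule is being evaluated for.
allow to group RS community 1234:neighbor-as

# 3. 1234:1234 together with 1234:<AS> -> everyone except <AS>.
#    This rule comes last, so it overrides the two allows above for that one peer.
#    (assumption: this bgpd version accepts several community matches per rule)
deny to group RS community 1234:1234 community 1234:neighbor-as

# Strip the control communities so peers do not see each other's instructions.
# (assumption: the "*" wildcard is accepted in "set community delete")
match to group RS set community delete 1234:*
```

Walk the rules for a route tagged 1234:1234 1234:8943: towards AS 5000 the default deny, the 1234:1234 allow and nothing after it match, so it is announced; towards AS 8943 the final deny matches as well and, being last, wins. A route tagged only 1234:8943 hits nothing but the default deny towards every peer except AS 8943. Run `bgpd -n -f <file>` after editing to make sure the rules parse on the installed version before reloading.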
